In the Linux kernel, the following vulnerability has been resolved:
mptcp: really cope with fastopen race
Fastopen and PM-trigger subflow shutdown can race, as reported by syzkaller.
In my first attempt to close such race, I missed the fact that the subflow status can change again before the subflow_state_change callback is invoked.
Address the issue additionally copying with all the states directly reachable from TCP_FIN_WAIT1.